Unified encryption configuration management and setup system

ABSTRACT

The present technology relates to the field of configuration and setup of encrypted computer network transmission systems. In particular, the present technology relates to setting up and configuring network encryption systems, including MACsec, Internet Protocol Security (IPsec), and TLS protocols, in heterogeneous networks over Wireless Area Networks (WAN), Wireless Local Area Network (WLAN) or cellular links. In some embodiments, the present technology includes a method for setting up, configuring, and monitoring of encryption equipment providing encrypted links over WAN connections (typically IPsec VPN gateways and clients or TLS applications). The method includes communicating with encryption and PKI equipment necessary to automate the generation of encryption keys, digital certificates, and digital certificate signing requests. The method further includes communicating with the encryption equipment on one or both sides of an encrypted link to create security associations, and link encryption parameters, necessary for the encryptors to negotiate and establish encrypted links.

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims priority to U.S. Provisional ApplicationNo. 62/333,119, filed May 6, 2016, titled “UNIFIED ENCRYPTIONCONFIGURATION MANAGEMENT AND SETUP SYSTEM,” which is incorporated hereinby reference.

TECHNICAL FIELD

The present disclosure relates to the field of configuration and setupof encrypted computer network transmission systems.

BACKGROUND

Conducting mission critical operations in field, emergency, temporary,remote or distributed situations requires communications systems thatmaintain Confidentiality, Integrity, and Availability (CIA).Organizations must maintain CIA when using network-based, wired,line-of-site radio, radio, cellular, microwave, laser or SatelliteCommunication (SATCOM)-based communications, especially when relying onthird parties to provide network communications transport services, orwhen using wireless communications technologies where transmission canbe easily intercepted. To maintain CIA, organizations can use variousencryption technologies at various technology layers, including, but notlimited to, the ISO (International Organization for Standardization)data link, network, or transport layers. Organizations use protocolsthat include Media Access Control Security (MACsec), Virtual PrivateNetwork (VPN), or Secure Sockets Layer/Transport Layer Security(SSL/TLS) to ensure that information transmission cannot be stolen,tampered with, or disrupted. However, the setup and configuration ofsystems used to implement encryption in transit are exceedingly complex,and easy to mis-configure, which leads to downtime or poor securityconfigurations that leave information vulnerable. Exacerbating theproblem is the increasing use of a Public Key Infrastructure (PKI),which is used to distribute and manage encryption keys required on bothsides of an encrypted link. PKI systems add a layer of complexity thatis well beyond the training and expertise of most networkingprofessionals, which leads to additional downtime and securityvulnerabilities.

Organizations that need to deploy transmission security over largedistances, or in dangerous or remote locations, are disadvantaged bycurrent technology due to a lack of trained staff able configure andmanage link encryption technology. In addition to setup, andconfiguration changes that are required to adjust to changingcircumstances, the management of digital certificates and encryptionkeys adds additional technical skills not typically available indangerous or remote locations, which makes the implementation of linkencryption in transit difficult and expensive.

Recent advancements in encryption technologies now available inCommercial-Off-The-Shelf (COTS) equipment have been deemed secure enoughby the United States National Security Agency (NSA), when configuredcorrectly, to be used by United States military, intelligence, andcivilian organizations to implement link encryption for the transmissionof classified information, up to and including Top Secret information.The NSA approves these types of systems under a new program called“Commercial Solutions for Classified” (CSfC). To be approved under thisprogram, however, organizations must deploy two sets of encryptiontechnology, each from a different vendor (or using different, unrelatedplatforms). While this new capability enables a variety of new,important use cases, it implements additional complexity that requiresyet even more training and configuration.

To deploy these systems, organizations typically include various typesof networking and security equipment, including routers (used to directthe flow of voice/data), optimization equipment (used to reduce the sizeof network traffic over long distance radio links), VPN gateways andclients (providing encryption), firewalls, intrusiondetection/prevention systems, event log managers, servers, CertificateAuthorities (CA), and time servers. For systems that include encryptedWide Area Network (WAN) access, systems may include digital radios andsatellite modems. For systems that include encrypted Wi-Fi or cellularaccess, equipment can include Wi-Fi or base station routers, wirelesscontrollers, packet cores, and mobile device managers. Lastly, usersthat connect to such systems may use devices such as laptops,smartphones, and tablets that also participate in the encryptionsolution by hosting encryption endpoint (client) technology.

Almost always, the equipment listed above is manufactured by differentcompanies, providing different services, each with unique userinterfaces and operator training requirements. This results in expensivetraining costs to educate operators on the equipment, lengthy setuptimes that often result in communications delays, system orcommunications downtime, including when equipment is mis-configured, andsystem unavailability, such as when a lack of trained experts results insystems being left unused. Perhaps as misleading for these types ofsystems is when they are configured to “work”, but do so in an insecuremanner—leading to organizations placing trust in untrustworthy systems.

In order to set up and configure the equipment appropriately, operatorsmust be trained to diagnose and troubleshoot multiple, different,network, and security devices. In some cases, due to security policiesin organizations requiring separation of duties, a single trained personmay not be able to troubleshoot a problem—for example where a VPNadministrator does not have sufficient authority to use a CA to sign acertificate. In such a case, end-to-end troubleshooting is madedifficult because of errors introduced in handing off tasks from oneindividual to another, particularly when multiple manual steps arerequired.

SUMMARY

The present technology provides computer application software,machine-readable medium, systems and methods for setting up andconfiguring PKI-enabled network encryption systems, including MACsec,Internet Protocol Security (IPsec), and TLS protocols, in heterogeneousnetworks over WAN, Wireless Local Area Network (WLAN) or cellular links,that overcome drawbacks in the prior art and provide other benefits. Atleast one embodiment provides a method of setting up or configuringencryption links in a communication network having a plurality ofoperatively-interconnected network devices. The method includes settingup, configuring and monitoring of encryption equipment providingencrypted links over WAN connections (typically IPsec VPN gateways andclients or TLS applications). The method includes communicating withencryption and PKI equipment necessary to automate the generation ofencryption keys, digital certificates, and digital certificate signingrequests—necessary for encryption equipment to perform Internet KeyExchange (IKE). The method further includes communicating with theencryption equipment on one or both sides of an encrypted link to createsecurity associations, and link encryption parameters, necessary for theencryptors to negotiate and establish encrypted links. The method alsoincludes validation of the configuration to an organization'sconfiguration standards, monitoring of certificate expiration dates, andmonitoring of the status of the encryption equipment—ensuring that thesystem continues to operate in a secure manner over time.

Another embodiment of the technology provides a machine-readable mediumstoring instructions that, if executed by a computing system having aprocessor, cause the computing system to perform the described tasksabove to encrypt links over WAN, WLAN or cellular network connections,where one side of the encrypted link may be an encryption gateway (suchas an IPsec VPN gateway) and where the other side of the link is amobile device such as a laptop, smartphone, or tablet, equipped withmatching software encryption technology—or where the mobile device isequipped with a supplemental encryption device.

Another embodiment of the technology provides a machine-readable mediumstoring instructions that, if executed by a computing system having aprocessor, cause the computing system to perform the described tasksabove to encrypt links over WAN, WLAN or cellular connections, where oneside of the encrypted link may be an application server (such as a webserver, email server, voice-over-IP proxy, or database server) usingSSL/TLS (and Secure Real-time Transport Protocol (SRTP) for real-timetraffic) at the session layer for encryption, and where on the otherside of the link is a client-side application using SSL/TLS or SRTP,which may be hosted on a mobile device.

In all of the embodiments above, each type of link may be encrypted morethan once, in a tunneled fashion, so that the encrypted link isprotected by two or more layers of encryption. In this fashion, if onelayer of encryption is breached, a second layer provides additionalprotection. In such a configuration, two instances of the technology maymanage each layer of encryption independently, using similar methods anduser interfaces, automating each layer independently, but providingreduced training requirements. The technology may also manage bothlayers of encryption of a single instance of the technology, whensupplemented with cross-domain technologies or when configured in anorganizationally-approved configuration.

In some embodiments, the present technology includes a method toestablish encrypted communications where the method comprises:maintaining a dataset of default encryption values for implementing aselected one of a plurality of encryption policies associated with oneor more organizations; querying, via a graphical user interface (GUI), auser to input values for configuring an encryption device; sending theinput values over either in-band or out-of-band communications methods,and at least a portion of the default encryption values to theencryption device for configuring the encryption device based on theselected one of the plurality of encryption policies; based on the inputvalues and the at least a portion of the default encryption values,sending first instructions to the encryption device to a generateprivate key and a certificate signing request or performing thegeneration of the private key and the certificate signing request onbehalf of the encryption device; transmitting the certificate signingrequest to a certificate authority for signature; sending secondinstructions to the certificate authority to sign the certificatesigning request; and transmitting the signed certificate to theencryption device, wherein the transmitting the signed certificate tothe encryption device causes the encryption device to load the signedcertificate for use in establishing and maintaining encryptedcommunication in accordance with the selected one of the plurality ofencryption policies.

The method can include querying, via the GUI, the user to input secondinput values for configuring a second encryption device; sending thesecond input values and a second portion of the default encryptionvalues settings to the second encryption device for configuring thesecond encryption device based on a selected second one of the pluralityof encryption policies; sending third instructions to the secondencryption device to generate a second private key and a secondcertificate signing request or performing the generation of the secondprivate key and the second certificate signing request on behalf of thesecond encryption device; transmitting the second certificate signingrequest to the first certificate authority or second certificateauthority for signature; sending fourth instructions to the first orsecond certificate authority to sign the second certificate signingrequest; and transmitting the second signed certificate to the secondencryption device, wherein the transmitting the second signedcertificate to the second encryption device causes the second encryptiondevice to load the second signed certificate for use in establishing andmaintaining encrypted tunnels for communication. The encrypted tunnelsare partially based on the first encryption device implementingencryption at a first layer of a communication stack and the secondencryption device implementing encryption on a second layer of thecommunication stack.

The method can include implementing a separation of duties method, whichincludes causing a management system, in response to the first user, tocause the certificate signing request to be generated on the encryptiondevice, and wherein the management system queues the certificate signingrequest for a second user for approval; sending, via the managementsystem, the certification signing request to the certificate authorityto causes the certificate signing request to be signed; and retrieving,via the management system, the signed certificate and loading it on theencryption device, or queuing it for the first user, wherein the firstuser causes the management system to load the signed certificate ontothe encryption device.

In some implementations, the present technology includes a method forincorporating two methods of encryption concurrently or together. Themethod includes a first encryption device, first input values, a firstprivate key, a first certificate signing request, and querying, via theGUI, a user to input second input values for configuring a secondencryption device. The method further includes sending second inputvalues and a second portion of default encryption values settings to asecond encryption device for configuring the second encryption devicebased on a selected second one of the plurality of encryption policies;sending instructions to the second encryption device to generate asecond private key and a second certificate signing request orperforming the generation of the second private key and the secondcertificate signing request on behalf of the second encryption device;transmitting the second certificate signing request to the certificateauthority or another certificate authority for signature; sendinginstructions to the certificate authority or another certificateauthority to sign the second certificate signing request; andtransmitting the second signed certificate to the second encryptiondevice, wherein the transmitting the second signed certificate to thesecond encryption device causes the second encryption device to load thesecond signed certificate for use in establishing and maintainingencrypted tunnels for communication, wherein the encrypted tunnels arepartially based on the first encryption device implementing encryptionat a first layer of a communication stack and the second encryptiondevice implementing encryption on a second layer of the communicationstack.

Another aspect of the present technology provides a computer securitysystem having a management system configured to maintain a dataset ofdefault encryption values for implementing a selected one of a pluralityof encryption policies associated with one or more organizations, and tovalidate and load multiple encryption methods for multiple devices onbehalf of the multiple devices based upon the default encryption valuesand one or more of the plurality of encryption policies. A provisioningsystem is configured to implement the configuration of the multipleencryption methods associated with the plurality of encryption policiesand on behalf of the multiple devices. A graphical user interface (GUI)system is configured to provide an encryption status of the multipledevices and configured to receive a request to stop an encryptionsession for at least one of the multiple devices.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of the present technology are described by way of exemplaryembodiments, but not limitations, illustrated in the accompanyingdrawings in which like references denote similar elements, and in which:

FIG. 1 illustrates a typical communications network transmittinginformation over an untrusted WAN link with encryption gateways oneither side. One side provides a PKI infrastructure including a CA and aCRL (Certificate Revocation List) Distribution Point (CDP) or OnlineCertificate Status Protocol (OCSP) responder, along with enterpriseservices (such as email, voice PBX (Private Branch Exchange), VTC (VideoTeleconferencing) MCU (Multipoint Control Unit), file storage, database,etc.). The other side represents a remote network extension providingaccess to one or more computers. The network is set up, monitored, andconfigured by the present technology.

FIG. 2A illustrates a network similar to FIG. 1, with the addition of asecond layer of encryption and PKI infrastructure (each devicepre-pended with “Inside”). This second layer tunnels encrypted trafficinside the first encrypted tunnel from FIG. 1, implemented withcomponents re-labelled with a pre-ended “Outside” label. The network isset up, monitored, and configured by the technology.

FIG. 2B illustrates an alternate embodiment of the CSfC WAN VPNconfiguration, where the inside IPsec VPN system is replaced by atransport layer encryption solution utilizing PKI. The IPsec VPN gatewayis replaced by one or more servers running application software with TLSencryption, achieving two layers of tunneled encryption.

FIG. 3A illustrates a typical communications network transmittinginformation over an untrusted local wireless link using an encryptiongateway and a PKI infrastructure including CA and CRL Distribution Point(CDP), along with enterprise services. The communications aretransmitted over wireless links, and are provided to any type of mobiledevice. The mobile devices encrypt/decrypt the communications usingclient VPN software loaded on the devices, or using supplementalhardware devices.

FIG. 3B illustrates an alternative embodiment of FIG. 3A. In thisillustration, a second layer of IPsec VPN is implemented, with an IPsecVPN gateway on the infrastructure side of the untrusted network, withdual VPN clients loaded on the mobile End Users' Devices (EUDs).

FIG. 3C illustrates a configuration similar to FIG. 3A. In thisembodiment, the Outside CA resides on the “inside network”. Access tothe Outside CA is performed through routing or network configuration,out-of-band for management or CRL distribution, or through systemsapproved for cross-domain access.

FIG. 3D illustrates a configuration that uses TLS-protected applicationsin place of IPsec VPN gateways, and matching TLS clients loaded onmobile EUDs. Using this method, the configuration achieves two layers ofencryption.

FIG. 3E illustrates a configuration similar to FIG. 3A, but with theaddition of a PKI-enabled infrastructure controlling a Wi-Fiinfrastructure, and using Wi-Fi encryption such as WPA2 (Wi-Fi ProtectedAccess II). In this instance, the outside encryption tunnel is Wi-Fi,and the inside encryption tunnel is IPsec VPN.

FIG. 3F illustrates an alternative embodiment of the PKI subcomponents.Shown is an “Online CA” architecture that assumes that the CA isavailable to the network at any time, and that it is (optionally)operatively coupled to a CDP or OCSP responder, or that those functionsare integrated into the CA.

FIG. 3G illustrates an alternative embodiment of the PKI subcomponents,shown in the “Offline CA” configuration, the Management System providesthe CDP or OCSP responder functions for the network, and the CA may betaken offline when not performing certificate signing tasks.

FIG. 4 illustrates the software logic flowchart implementing anembodiment of the present technology.

FIG. 5A illustrates the software logic flowchart implementing anembodiment of the present technology. In this embodiment, the systemincludes the use of a provisioning workstation that generates keys andmanages provisioning for mobile devices.

FIG. 5B illustrates the software logic in FIG. 5A, with the addition ofdecision points and processes whereby the Management System generatesCSRs (Certificate Signing Requests) and keys on behalf of an encryptiondevice that does not have those capabilities. It also illustrates anadded decision point and process enabling security administrators topre-approve the signing of a CSR, prior to that function being allowed.

FIG. 5C illustrates a sub-process where the Management System determinesallowable and available transmission means for transmitting a CSR froman encryption device to a CA. This includes the process for writing theCSR to removable media, and transferring the CSR to the CA in a manual“air-gapped” manner.

FIG. 6 illustrates an exemplary setup/configuration Wizard screenrequesting input from users, to be used in setting up configuration onencryption devices.

FIG. 7 illustrates an exemplary setup/configuration Wizard screenconfirming settings to be applied to an encryption device.

FIG. 8 illustrates an exemplary setup/configuration Wizard screenrequesting settings information from users, to be used in the generationof keys, certificates, and CSRs.

FIG. 9 illustrates an exemplary setup/configuration Wizard screendisplaying the status of the digital certificate generation,transmission, signing, and loading process.

FIG. 10 illustrates an exemplary status screen showing connectivity andstatus between multiple (tunneled) encryption devices over a WAN link,with additional status information of enterprise services and EUDs.

FIG. 11 illustrates an exemplary status screen showing status of a liveVPN tunnel, as reported by a remote, inner VPN gateway-encryptiondevice.

FIG. 12 illustrates an exemplary status screen showing status issued(signed) digital certificates to be used as device and usercertificates, as reported by a CA.

FIG. 13A illustrates a software module architecture in accordance withan embodiment of the present disclosure, showing a Graphical UserInterface (GUI), monitoring components, wizard module, and deviceinterfaces, where the GUI is operatively coupled to any number ofnetwork devices, including encryption devices and PKI infrastructure.

FIG. 13B illustrates a software module architecture in accordance withan embodiment of the present disclosure, showing a separate (reducedfunctionality) instance of the Management System functioning as an Agentor a Provisioning System.

DETAILED DESCRIPTION

The present disclosure describes systems, methods, processes andcomputer software in accordance with certain embodiments of the presentinvention. Several specific details of the invention are set forth inthe following description and the Figures to provide a thoroughunderstanding of certain embodiments of the invention. One skilled inthe art, however, will understand that the present invention may haveadditional embodiments, and that other embodiments of the invention maybe practiced without several of the specific features described below.

The technology, in accordance with at least one embodiment, provides thecomputer application software, related computer hardware and/or methods(referred to as “system”) related to creating an easy-to-use userinterface, automating and simplifying complex setup, configuration anddiagnostic tasks otherwise requiring extensive manual interaction (onthe part of highly trained advanced computer/network administrators)with a variety of computer network and encryption hardware and softwarecomponents, frequently from more than a single manufacturer, pertainingto encryption of information over untrusted network links.

The system can be configured to automate large portions of the processof setup and configuration of the network such that the networkingdevices perform correctly in environments where communication is missioncritical, but where the availability of highly-trained technicaladministrators may be limited, and where the process can be initiatedand supervised by non-experts.

The technology of an aspect of the present disclosure relates to thedeployment of IT (Information Technology) services by organizationsinvolved in performing work, services, or collaboration in ruggedlocations, in locations on a temporary basis, or in locations wheretransmission infrastructure is limited, unreliable, or over-subscribed.These types of organizations can include military groups, emergencyrelief agencies or medical teams, diplomatic and aid organizations, newsorganizations, dignitaries, and delegations of traveling officials. Italso includes law enforcement and emergency management agenciesresponding to disaster areas. It further includes organizations involvedin ensuring reliable operations of critical infrastructure such as (butnot limited to) health care organizations, energy production andtransmission infrastructure, agriculture, banking, and transportation.It also relates to organizations involved in remote work projects suchas oil exploration and extraction, mining, overseas construction, timberharvesting, and scientific exploration. It further relates toorganizations with mobile users needing access to confidentialinformation over wireless links in office or campus settings, mobileusers needing access to confidential information from untrusted wirelesslocations (e.g., “Starbucks” or “United Airlines In Flight”), or inlocations where wired infrastructure is unavailable such as on air-baseflight lines.

Embodiments of the technology of the present disclosure can beconfigured for applications that address field operations to enable thequick establishment of full “office communications” capabilities innetwork-starved environments, or that address construction needs toenable quick setup of communications for field management, surveillanceand other capabilities at construction locations prior to theestablishment of permanent networking/computing capabilities. Thetechnology can also be configured to address emergency backup systemsconfigured to enable quick setup of temporary or backup networks whereor when permanent IT equipment is damaged due to disaster. Thetechnology may also be configured for fixed infrastructure where onlylightly-trained administrators are available, or where advancedadministrators desire streamlined and time-saving configuration andmonitoring.

Aspects of this technology provide software systems equipped withautomated means to troubleshoot and diagnose multiple network andencryption devices, to ensure that transmission of data can be madesuccessfully, in a properly configured and encrypted form, whileproviding a single, integrated, user interface appropriate for noviceoperators.

Devices managed by the software may include servers, routers, firewalls,mobility controllers, and VPN gateways, VPN clients providing encryptionor PKI services, at any layer of the communications stack, includingMACsec, IPsec, SSL/TLS, etc. Devices may also include CAs, OCSPresponders, CDPs, and time servers. The software may also manageprovisioning of EUDs, such as smartphones, tablets, and laptops. Thedevices are typically developed/manufactured from a variety of vendors,since no one vendor creates all of the necessary technology to completethese systems, and in the case of CSfC systems, multiple-vendordiversity is required for security purposes.

In at least one embodiment, the management software may also managesupplemental devices integrated into the network, but not directlyrelated to the encryption/PKI services—in order to provide a morecomplete view of the network under one user interface. Such devices mayinclude devices such as (but not limited to) network switches, voicePBXs, radio infrastructure, radio controllers, WAN optimization devices,auditing and logging systems, and cyber security devices such asfirewalls, authentications systems, and IDSs (Intrusion DetectionSystems)/IPSs (Intrusion Prevention Systems), etc. Any or all of thedevices under management may be hardware appliances or software packagesdeployed locally, as virtual solutions, or in the cloud.

The management software can be an integrated computer application thatsets up, configures and monitors the functionality on a plurality ofencryption and PKI devices from multiple manufacturers, specificallydisplaying the parameters required for novice operators to initiate,supervise and ensure the system is configured and operating correctly.Aspects of the software and/or system can further include the ability tocollect and display information from multiple network and encryptiondevices, on command of the operator. The software can use heuristics todetermine misconfigured settings, and alert operators (directly, or tointegrated Security Information and Event Management (SIEM) or loggingsystems) to settings that are out of compliance with organizationalpolicies.

Specific types of tasks that the management software performs includeautomating the process of creating, validating and loading VPNconfiguration information into encryption equipment (hardware orsoftware), causing VPN equipment to generate public/private key pairs,causing VPN equipment to generate digital certificates such as in theX.509 format, and generating CSRs, or conducting such tasks on behalf ofVPN equipment. The software additionally orchestrates the transmissionand signing of the CSRs through online, in-band or out-of-band means (ineither case, over trusted networks), and also orchestrates the manualtransmission of CSRs and signed digital certificates (using removabledigital media such as USB drives or CD-ROM R/W) where organizationalpolicies prohibit online transmission. The process automates significantportions of these tasks, but also performs the tasks, initiated andsupervised by administrators.

The management software further configures and monitors CAs, providingsummary information about the status, use, and expiration ofcertificates. The software causes the CSRs to be processed, validated,and signed by CAs, so that they are ready for use by the VPN equipment.The management software may perform most or all of these functions “onbehalf of” the equipment, since many vendors equipment does not supportthe capability or does not support it with sufficient security to meetorganizational requirements. The CSR processing may be initiated by asingle step integrated into the user interface during the setup of anencryption device, or may be supplemented with an additional step thatrequires a second system/security administrator to approve the CSRrequest at the CA, or through the management software interface at theCA. This additional step may be performed by a security administratorwho is logged into the management software, with a different role thanthat of the person initiating the CSR request. By requiring thisseparate step, organizations can implement a strong “separation ofduties”-based process. In this mode, the management software can simplyrequire a “one button” confirmation from the CA security administrator,and then can proceed to sign the CSR and generate (and transmit) thesigned digital certificates. Both the end-to-end CSR signing processdescribed herein, and the process that requires simple securityadministrator confirmation “in the loop”, represents a substantialimprovement over the state of the art, where typical systems requireextensive manual, slow, and highly-error-prone processes for each step.While single vendors have attempted to create completely automated meansfor provisioning their own point solutions (such as the distribution ofpolicies between firewalls of a single “make”), these systems typicallydo not work across the entire process of provisioning as describedabove, nor do they include a “human-in-the-loop” process that ensuresstrong security oversight.

Additionally, the management software can cause CAs to generate CRLs,and to transmit them to CDPs via online in-band or out-of-band means, ormanual means. The CAs may be configured to transmit CRLs without furtherintervention from the management software, or the management softwaremay assist in that process, which may include human supervision.

The management software can configure VPN equipment from multiplevendors, to only accept VPN connections configured to meet stringentorganizational requirements. In the case of CSfC programs, that caninclude disabling any ability to accept VPN connection requests withparameters that are out of compliance with CSfC regulations, and canconfigure the devices to report any such attempts.

The management software provides methods to revoke digital certificates.Administrators may select from the list of issued certificates (singlyor in bulk), and may use the management software's user interface torevoke certificates, providing revocation dates and reasons forrevocation. The management software may provide the means toautomatically cause CRL updates and transmissions to be integrated intothat process. The management software may also communicate withencryption devices to immediately terminate active encryption sessionsassociated with revoked certificates. This process provides considerableintegration over the state of the art, which today requires manualintervention to terminate ongoing encrypted sessions—which would onlyotherwise be terminated at the expiration of session keys—exposingorganizations to significant security vulnerabilities.

The system has a GUI that may be run as a Windows, Linux, web-based, PDA(Android, etc.), or embedded application providing monitoring anddiagnostics that enable operators to use simple, GUI-based actions toview summary status and perform configuration tasks across multiplenetwork devices. The system of at least one embodiment also includes amonitoring and alerting system and interfaces to the devices in thenetwork via any available protocol or API (Application ProgrammingInterface) to retrieve status and performance information on a regularbasis, and on command. Protocols or APIs include Simple NetworkManagement Protocol (SNMP), Windows Management Instrumentation (WMI),Hypertext Transfer Protocol (HTTP), Secure Shell (SSH), TransmissionControl Protocol/Internet Protocol (TCP/IP), User Datagram Protocol(UDP), Serial, Remote Procedure Call (RPC), and application-specificprotocols.

The system can also include a software application running on a laptopor server presenting a GUI with screens used to view status andconfiguration results, or a monitoring/device interface portion of thesoftware application used to retrieve status, provide alerts, andcommunicate with the devices to change settings. The system includesdevices configured for the generation of encryption keys, signing ofdigital certificates, and encrypting communications. The system can alsoinclude software applications with heuristics used to detect errorsthrough the analysis and comparison of configuration settings againstorganizational policies.

The system can further have portions of the software running in adistributed manner, such that portions of the process are accomplishedby software agents. These agents may be run on computing devices such asservers, workstations, etc., and may be co-resident with other servicessuch as the CA, VPN gateways, and end devices. These agents may beoperatively coupled to portions of the encryption equipment or PKIequipment as required to accomplish portions of the methods. The agentsmay communicate with the other portions of the management system usingonline means, or may receive instructions, data, or files through manualtransfer means, when online means are not available or when policyprevents online connections between components of the system. The agentsmay have GUIs to enable supervision, and human-in-the-loop capabilities.

Although not required, aspects of the technology described herein can beembodied as special-purpose hardware (e.g., circuitry), as programmablecircuitry appropriately programmed with software and/or firmware, or asa combination of special-purpose and programmable circuitry. Thetechnology may be implemented as computer-executable instructions, suchas routines executed by a general or special purpose data processingdevice (e.g., a server or client computer). Aspects of the technologydescribed herein may be stored or distributed on tangiblemachine-readable medium, including, but not limited to, floppydiskettes, optical disks, Compact Disc Read-Only Memories (CD-ROMs),magneto-optical disks, ROMs (Read-Only Memories), Random Access Memories(RAMs), Erasable Programmable Read-Only Memories (EPROMs),Electrically-Erasable Programmable Read-Only Memories (EEPROMs),magnetic or optical cards, flash memory, magnetically or opticallyreadable computer discs, hard-wired or preprogrammed chips (e.g., EEPROMsemiconductor chips), nanotechnology memory, biological memory, or othertype of media/machine-readable medium suitable for storing electronicinstructions. Alternatively, computer-implemented instructions, datastructures, screen displays, and other data related to the technologymay be distributed over the Internet or over other networks (includingwireless networks), on a propagated signal on a propagation medium(e.g., an electromagnetic wave(s), a sound wave, etc.) over a period oftime. In some implementations, the data may be provided on any analog ordigital network (packet switched, circuit switched, or other scheme).

The techniques introduced here can be embodied as special-purposehardware (e.g., circuitry), as programmable circuitry appropriatelyprogrammed with software and/or firmware, or as a combination ofspecial-purpose and programmable circuitry. Hence, embodiments mayinclude a machine-readable medium having stored thereon instructionsthat may be used to program a computer (or other electronic devices) toperform a process. The machine-readable medium may include, but is notlimited to, floppy diskettes, optical disks, CD-ROMs, magneto-opticaldisks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flashmemory, or other type of media/machine-readable medium suitable forstoring electronic instructions. Computers may employ Central ProcessingUnit (CPU) or processor to process information. Processors may includeprogrammable general-purpose or special-purpose microprocessors,programmable controllers, Application-Specific Integrated Circuits(ASICs), Programmable Logic Devices (PLDs), embedded components, acombination of such devices, and the like. Processors execute programcomponents in response to user and/or system-generated requests. One ormore of these components may be implemented in software, hardware, orboth hardware and software. Processors pass instructions (e.g.,operational and data instructions) to enable various operations.

The phrases “in some embodiments,” “according to some embodiments,” “inthe embodiments shown,” “in other embodiments,” and the like generallymean that the particular feature, structure, or characteristic followingthe phrase is included in at least one implementation of the presenttechnology, and may be included in more than one implementation. Inaddition, such phrases do not necessarily refer to the same embodimentsor different embodiments.

The computing devices on which the system is implemented may include acentral processing unit, memory, input devices (e.g., keyboard andpointing devices), output devices (e.g., display devices), and storagedevices (e.g., disk drives). The memory and storage devices aremachine-readable medium that may be encoded with computer-executableinstructions that implement the system, which means a machine-readablemedium that contains the instructions. In addition, the instructions,data structures, and message structures may be stored or transmitted viaa data transmission medium, such as a signal on a communications link,and may be encrypted. Various communications links may be used, such asthe Internet, a LAN (Local Area Network), a WAN, a point-to-pointdial-up connection, a cell phone network, and so on.

In accordance with some embodiments of the present technology, thememory can encompass any type of, but is not limited to, volatilememory, nonvolatile memory, and dynamic memory. For example, the memorycan be random access memory, memory storage devices, optical memorydevices, media magnetic media, floppy disks, magnetic tapes, harddrives, SDRAM, RDRAM, DDR RAM, EPROMs, EEPROMs, CDs, DVDs, and/or thelike. In accordance with some embodiments, the memory may include one ormore disk drives, flash drives, databases, tables, files, local cachememories, processor cache memories, relational databases, flatdatabases, and/or the like. In addition, those of ordinary skill in theart will appreciate many additional devices and techniques for storinginformation that can be used as memory.

Embodiments of the system may be implemented in and used with variousoperating environments that include personal computers, servercomputers, handheld or laptop devices, multiprocessor systems,microprocessor-based systems, programmable consumer electronics, digitalcameras, network PCs, minicomputers, mainframe computers, computingenvironments that include any of the above systems or devices, and soon.

Embodiments of the system may be implemented inside various operatingenvironments where virtual machine hypervisors are used to host multipleoperating systems and multiple instances of the management system on asingle hardware host. Using the security properties of hypervisors, itmay be possible to use a single hardware host to practice multipleinstances, each connected to networks of different securityclassifications.

Using cross-domain guards or “reference monitors”, the system may beconfigured such that a single instance of the management system connectsto and controls encryption and PKI components residing in networks ofdifferent classifications.

The system may be described in the general context ofcomputer-executable instructions, such as program modules, executed byone or more computers or other devices. Generally, program modulesinclude routines, programs, objects, components, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Typically, the functionality of the program modules may becombined or distributed as desired in various embodiments.

From the foregoing, it will be appreciated that specific embodiments ofthe technology have been described herein for purposes of illustration,but that various modifications may be made without deviating from thespirit and scope of the described technology. For example, the describedtechnology is applicable to any wireless device that implements anOver-The-Air (OTA) mechanism, including cellular phones, PDAs, and otherwireless devices. Accordingly, the technology is not limited except asby the appended claims.

FIG. 1 illustrates the base example of an embodiment of the presenttechnology. This configuration provides a single layer of IPsec VPNencryption of communications over an untrusted network 150 such as acellular network perhaps operated by a commercial carrier, even overseasin hostile environments. Other untrusted networks would includelong-distance Internet carriers, commercial SATCOM providers, or anynetwork out of the control of the information owner. In such networks,an organization may control the equipment on either side of the network,and may rely on the encryption equipment to secure the information intransit.

At an organization's headquarters, datacenters, or “teleports”, theorganization can deploy IPsec VPN gateways 130 providing encryption forall data ingressing/egressing the organization, typically to/from anynumber of enterprise data services 140 such as email services, voicePBXs, video teleconferencing, access to shared file storage, access toenterprise applications such as accounting, etc.

The information is encrypted/decrypted on the “remote” side of theuntrusted network with a remote IPsec VPN gateway 160, as wouldtypically be deployed in a corporation's branch office, in a retailorganization's retail outlet, in a hotel chain's hotel, or at aremote/forward military base or communications vehicle. Remote usersrequiring access to enterprise services 140 are able to access thoseservices transparently, because encryption/decryption is taken care ofby the IPsec gateways.

FIG. 1 illustrates a peer-to-peer architecture over the untrustednetwork. However, in reality, many implementations will have multipleremote sites, even hundreds or thousands. To simplify and secureencryption key management, organizations are looking to PKI, whichprovides substantial security benefits, such as the ability to renew andrevoke keys “over the air”, in this case, through the untrusted network,150 eliminating the need to travel to remote sites to perform managementtasks (a task that is typical in the Department of Defense (DoD) withcurrent classified encryptors). The backbone of the PKI infrastructurein FIG. 1 is the CA 110 and Certificate Revocation List (CRL)Distribution Point (CDP) or OCSP responder 120. The CA's primary role isto sign digital certificates, a critical step required to enable mutualauthentication of a device or user's public key. The CDP and OCSPresponder have functionally-equivalent roles. They provide access to thelist of revoked digital certificates. (A revoked certificate is onewhich is deemed insecure because it was lost, stolen or otherwisecompromised.)

The Management System 100 described herein in accordance with at leastone embodiment of the present technology is operatively coupled to (buttypically separate from) one or more components within the PKI andencryption system, providing a GUI to operators for setup,configuration, monitoring, and troubleshooting purposes. The system 100may be connected 200, 210, 220 in-band, using the primary communicationsmethods to communicate with the components, or may connect out-of-band,using separate VLANs, separate networks or using serial connections. Inany of the cases, it's assumed the system 100 uses trustedcommunications means to perform its management and configuration tasks,such that no management functions are conducted over the untrustednetwork without encryption. In one embodiment, system 100 performs theinitial configuration on the IPsec VPN Gateway 160 (and other devices inthe remote infrastructure 170 and End User Devices 180/190) prior to thedevices being transported to its destination. In some configurations(illustrated in FIG. 3B through FIG. 3G), communications may consist ofseparate instances of the management software of the same or differentmakeup, where data is transferred manually via removable media, inaccordance with organization policies that may require “air-gapped” datatransfer, particularly where cross-domain transfer is required.Additionally, subsets of the system may be co-resident with componentsof the systems, where components do not have management communicationscapabilities that can be remotely integrated into the management system,or where administrators need to perform manual steps to conduct aprocedure. For example, an agent of the system may reside on the CA 110,conducting communications between the Management System 100_and the CA110. As illustrated in the following flow charts and screens, theManagement System 100 communicates with one or both IPsec VPN gateways130, 160, as well as the CA 110, and may indirectly cause the CA topublish a CRL to be loaded automatically, manually, or with an“air-gapped” procedure onto the CDP or OCSP responder 120.

FIG. 2A illustrates a further embodiment of the system 100 in FIG. 1,operatively coupled to configure encryption equipment in a PKIinfrastructure, and performing encryption of data in transit over anuntrusted network. In this configuration a second set of IPsec VPNequipment 200, 250 is installed at both the HQ (Head Quarters)/NOC(Network Operations Center)/Teleport and remote sites. The equipment isplaced “in-line”, providing an additional level of encryption. Thusattackers present in the untrusted network would need to first break theoriginal (outside) encryption implemented by the first set of VPNequipment, then break through the second layer (inside) layer ofencryption, in order to access unencrypted information. This insidelayer of encryption is complemented with a CA 210 and CDP/OCSP responder220 providing services to the inside network.

The two layers of infrastructure are ideally provided by equipment fromdifferent manufacturers, such that if a vulnerability is found in onemanufacturer's equipment, that vulnerability can be fixed before asimilar one is found in the second manufacturer's equipment. Thisdiversity of manufacturers provides substantially enhanced protection,but adds complexity. The Inside Management System 240 can provide asimilar, if not identical, user interface for system administrators,even when the encryption and PKI equipment in each layer (inside andoutside) has completely different user interfaces.

Another embodiment of the system (not shown) includes the ability for asingle instance of the management system to be operatively coupled toboth sets of encryption equipment in any of the dual-layerconfigurations described herein, where allowed and configured inaccordance with organizational policies. In such instances the additionof a cross-domain guard or “reference monitor” may be required to assurethat no information other than the management information crosses fromthe inner to the outer layer systems.

FIG. 2B illustrates a configuration similar to FIG. 2A, but, instead ofIPsec VPN Gateways providing an inner layer of encryption, enterpriseservices are provided by transport layer security typically implementedby software residing on servers, known as TLS protected servers 225.Examples of services with integrated TLS encryption include emailservers, web servers, voice/video session controllers/proxies such asvoice PBX, VTC MCU, etc. On the remote side of the untrusted network,the second remote VPN gateway from FIG. 2A is removed, and insteadclient application software (web browsers, email clients, voice clients)is loaded on EUDs (laptops). These client applications are equipped withTLS encryption clients that match the HQ-side TLS-protected servers. Onespecial type of TLS system is Virtual Desktop Infrastructure (VDI) orVirtual Mobile Infrastructure (VMI) solutions that use TLS forcommunications. In those environments, any desktop or mobile applicationcan be secured with matching thin-client application containers onremote EUDs. FIG. 2B Item 280 shows the inside Management Systemoperatively coupled to the EUD TLS client application. This may beperformed in-band, out-of-band, or air-gapped and manual, particularlyfor the transfer and provisioning of digital certificates. Additionally,agents or subsets of the management system may be deployed on EUDs toassist with secure communications needs. As with System 100 in FIG. 1,its assumed that the inside Management system communicates with thedevices under management through a trusted network, and thatconfiguration tasks may be performed prior to the devices beingtransported to the final destination.

FIG. 3A illustrates a system using an IPsec VPN component securingtransmission over wireless infrastructure to mobile devices. Thisillustration shows an HQ/NOC/Teleport architecture similar to FIG. 1.However, the untrusted network is specifically wireless in nature, andthe EUDs 380, 390, 400 are mobile devices that wirelessly connect to anuntrusted network such as a Wi-Fi 350 or cellular 360 network, asopposed to using a remote IPsec VPN gateway for encryption/decryptionservices as shown in FIG. 1. In this architecture, users may use EUDsthat are unmodified COTS equipment that operate just like anycommercial/consumer EUD, so long as a correctly configured,software-based encryption solution is loaded/integrated on the device.Because the VPN equipment and VPN clients running on EUDs areindependent of the radio infrastructure such as Wi-Fi 350 or cellular360, the data is encrypted over any channel, and devices may roam acrossradio infrastructures without any reconfiguration required. TheManagement System 300 manages the CA 310, CDP/OCSP responder and IPsecVPN gateway 320 at the HQ/NOC/Teleport. The Management System may have aseparate instance of the software, a subset of the software, or an agentrunning on a separate host, acting as a Provisioning System 370.

The Provisioning System is temporarily operatively coupled to EUDs 380,390, 400 to perform initial configuration and setup of VPN clientsoftware (which may be built into the EUD's operating system, may be runas a service, or may be a separate software application) residing onEUDs. The Provisioning System may use USB connectivity, Ethernet, orwireless transmission 460 to perform this provisioning step. TheProvisioning System 370 may further consist of an agent or softwaresubsystem loaded on the EUDs to assist in this process if the OperatingSystem (OS) or VPN client does not support all functionality required toaccomplish the provisioning. For example, this may be the case where amobile device's VPN client software is unable to generate apublic/private key pair, or where that functionality does not includethe ability to transmit CSRs using online means. In this case, theProvisioning System may cause the device to generate key pairs andcommunicate the CSRs, and may provide the communications infrastructurenecessary to transmit the CSRs to the Management System 300 through thetrusted transmission link 430, which, in turn causes the CA 310 to signand return valid digital certificates, which, in turn, are installed onthe EUDs by the Provisioning System. In the case where the EUD does nothave the ability to generate keys at all, the Provisioning System maygenerate keys on behalf of the EUD, then follow similar procedures asoutlined above to cause those keys to be validated and loaded on theEUDs. The Provisioning System may perform all of its functions in anautomated manner, but in one embodiment requires operator initiation ofthe process, with operator supervision and confirmation, to ensuresecurity procedures (per organizational requirements) are met.

FIG. 3B illustrates a configuration of the system similar to FIG. 3A,but includes the addition of a second set of encryption and PKIequipment 325, 326, 327, (labelled “inside”) at the HQ/NOC/Teleport. Inthis embodiment, two tunneled IPsec VPN gateways provide dualencryption, further protecting the data in transmission. The “inside”equipment is set up, configured, and monitored by a second instance ofthe system 328. In this configuration, the EUDs host two VPN clients,providing matching encryption/decryption to the dual IPsec VPN gateways.A single Provisioning System 370 may be used to provide both of the EUDVPN clients, or the system may be configured to use two independentprovisioning systems, depending on organizational policies.

FIG. 3C illustrates an embodiment similar to FIG. 3B, where the OutsideCA 310 resides and is connected to the inside network equipment for theadded security of two IPsec VPN Gateways. In any of the embodiments ofthe system containing two layers of encryption, the Outside CA may beprotected in this manner. Additionally, in this figure the OutsideCDP/OCSP responder may be placed outside of the Outside IPsec VPNgateway 320, providing access to the services provided by the CDP/OCSPresponder for devices that are not inside the outer VPN tunnel, and/orthat need access to those services prior to establishing VPNconnections. Similarly (but not shown), the Inside CDP/OCSP responder327 may be placed outside of the inner network for similar reasons.

In this embodiment, the Management System 300 or 328 may be responsibleto cause the inner or outer CA 310 to publish a CRL and transmit it tothe CDP, using in-band, out-of-band, or manual “air-gapped” means, inorder to cross domain boundaries between an inner network CA 310 and itsexternally-placed CDP/OCSP responder. The Management System may beconfigured to directly transmit the CRL, may cause the CA to transmitthe CRL, or may save the CRL to removable media, to be imported into theCDP/OCSP responder.

FIG. 3D illustrates an embodiment of the system where the configurationof the system is similar to FIG. 3B, but where the inner IPsec VPNgateway is replaced by a TLS-protected server 340. In thisconfiguration, the TLS-protected server can provide similarfunctionality to the TLS-protected server as described in FIG. 2A,providing a wide range of enterprise service functions protected by asecond layer of TLS encryption. The EUDs 380, 390, and 400 host anoutside VPN client, and client applications enabled with TLS encryption.The Management Systems 300 and 380 perform similar functions to otherembodiments described herein, and may be configured in the variety ofconfigurations illustrated throughout the descriptions.

FIG. 3E illustrates an embodiment of the system similar to FIG. 3A, butcontains the addition of Wi-Fi-based encryption equipment configured touse PKI, providing an outside layer of encryption based on Wi-Fistandards such as WPA-EAP (Wi-Fi Protected Access—ExtensibleAuthentication Protocol). In this embodiment, the addition of a Wi-Ficontroller 355 (which may be a discrete device, or be integrated intothe Wi-Fi Access Point (AP) 350) is serving as an encryption gateway.This configuration provides two layers of encryption (VPN and Wi-Fi).The controller utilizes a CA 356 and CDP/OCSP responder 357 for PKIservices. EUDs host a Wi-Fi supplicant (client software stack) and VPNclient that match the HQ/NOC/Teleport infrastructure. The ManagementSystems 300 and 358 perform similar functions to other embodimentsdescribed herein, and may be configured in the variety of configurationsillustrated throughout the descriptions. As described previously, thisconfiguration illustrates a second Provisioning System 359 which may beused to provision/manage the EUD's Wi-Fi configuration.

FIG. 3Fd illustrates an alternate CA configuration. The “Online CAarchitecture” illustrates the standard configuration shown in most ofthe preceding figures, and is included for reference. FIG. 3Gillustrates an alternate embodiment labelled “Offline CA architecture”illustrates a configuration where the Management System 300 provides theprimary communications pathway to the CA 310, so that the CA is not madedirectly available from other network devices. The Management System 300provides communication to the CDP/OCSP responder, and, in anotherembodiment, the Management System may be combined with the CDP/OCSPresponder so that the Management System itself provides those services.Online communications between encryption equipment such as IPsec VPNGateways or TLS-protected servers (not shown) may be configured to bealways online, but the CA 310 may be taken off the network and/orcompletely powered down as an additional security measure, when not inuse.

Aspects of the system can accomplish the setup and configuration ofencryption equipment using PKI using the following general process:

After authorizing operators and populating configuration informationwith default values, query authorized users for input values to be usedin the configuration.

Apply configuration information to the encryption equipment.

Instruct the encryption equipment to generate private keys andcertificate signing requests (or perform that function in the software,on behalf of equipment that does not have the capability, through anagent or provisioning system).

Transmit the CSR to the CA, (or to the Management System acting as anintermediary if the originating request comes from a Provisioning Systemor a remote Management System), through automated online means, orthrough manual means (such as with a USB device or media device like aCD-ROM).

Cause the CA to sign the certificate and optionally supply the CA'scertificate. This can be done through a CA API from a remote location,or via a portion of the system (software agent) co-resident with the CAacting as an agent.

Transmit the signed certificate and optional CA certificate back to theencryption device, and cause the device to load the certificates for usein establishing and maintaining encrypted tunnels.

FIG. 4 illustrates program control flow for one embodiment of theManagement System, following the general description above. Once thesystem confirms authorization of the operator of the Management System410, the Management System retrieves from storage and populatesin-memory configuration templates and dialog boxes withorganizationally-specified defaults 420. This enables organizations toreduce reliance on manually-entered values, reducing the likelihood oftyping or transcription errors. The template method enablesorganizations to ensure that the base configuration is compliant withorganizational policy.

Wizard screens are shown to the user in sequence 430, retrieving valuesthat cannot be specified in advance by default values. At the end of thesequence, the Management System applies the configuration information tothe encryption device as needed to prepare it for final loading ofdigital certificates 440. The Management System may use a variety ofmethods to load the configuration information, including, but notlimited to, the use of APIs, command line interfaces, and configurationfiles in any format such as XML (Extensible Markup Language), flat file,binary, etc. The Management System may use a variety of communicationmediums including IP over Ethernet, or serial connections, etc. Somedevices may need digital certificates loaded before configuration isapplied, in which case the order of operations of this wizard may bereversed.

Once the configuration is applied, the Management System queries theoperator to find out if a digital certificate is needed 450, and mayprompt for specific input values. The Management System then sendscommands to the device, causing it to generate a public/private key pairand a CSR 460. The Management System retrieves the CSR and transmits itto the CA or CA Agent 470. The CA Agent causes the CA to sign the CSR,and optionally provides a copy of the CA (master) certificate, whichenables mutual authentication 480. The Management System transmits thesigned device certificate and CA certificate 490. Lastly, the ManagementSystem (or Provisioning System) installs (or causes to be installed) thecertificates onto the encryption device 500.

FIG. 5A illustrates a process similar to that in FIG. 4, with the addedsteps of transmitting the CSR (over a trusted network link, in-band, outof band) from a remote site 560 to a central Management System receivingthe CSR on behalf of a CA 570. In this embodiment, the centralManagement System in turn transmits the CSR to the CA or CA Agent 570,and the process is reversed once the CSR is signed.

FIG. 5B illustrates a process similar to that in FIG. 5A, but withseveral added steps. If the user requests a device to generate acertificate and public/private key pair, first, the device is checked tosee if it has that capability 541. If it does not, a local provisioningsystem composed of a separate instance or subset of the ManagementSystem can either generate the key pair and certificate on behalf of thedevice, or it can communicate with an agent loaded on the device toperform that task 550. Additionally, FIG. 5B contains the added step 541that checks to see if a security administrator must pre-approve thesigning of the CSR. If so, the CSR is queued for approval by a securityadministrator (logged in and authorized to perform such functions) usingthe Management System 570. Once approved, the system proceeds throughthe rest of the process as illustrated in FIG. 5A.

FIG. 5C illustrates processes used to transmit CSRs to CAs, and totransmit signed device certificates and CA certificates from CAs toencryption devices. As described herein, numerous methods are availablefor transmission, and the Management System may be configured to supportone or all of them, as organizational policy allows. At the timetransmission is required, the Management System checks to see whichmethods are configured and available 600. If the configured method isin-band 610 or out-of-band 630, the Management System uses theconfigured interfaces and proceeds as illustrated in previous figures.To ensure the security of this process, all link types must be trusted.In the event an “air-gapped” method is configured, the Management Systemqueries users for the folder and media onto which the CSR/certificateswill be written 620. Once the user specifies the destination, theManagement System writes the information to the media 640. The media maythen be hand-carried, shipped or otherwise delivered to the ManagementSystem that is coupled to the CA 650. The media is inserted into thehost operating the Management System, and the media is read and the CSRis loaded 660. The process then proceeds as illustrated in FIG. 5A.

FIG. 6 illustrates an exemplar wizard screen querying an operator of theManagement System for input values used to configure an IPsec VPNgateway. The default values may be pre-set by organizational policies,ensuring operators do not choose incorrect values. Options may beremoved from wizard screens when fixed configuration values are known,and organizations opt to disallow operators from changing values.

FIG. 7 illustrates an exemplar wizard screen showing the set ofconfiguration parameters to apply to an IPsec VPN gateway, prior to thecommit of the settings. This screen asks operators to confirm thesettings, and also displays a checkbox that, when clicked, causes theWizard to continue past the commit of these settings, and enter into thekey generation and CSR generation phase.

FIG. 8 illustrates an exemplar wizard screen querying an operator of theManagement System for input values used to create the CSR. In thisembodiment, once the operator clicks “Next”, the Management Systemproceeds through the end-to-end process of creating the public/privatekey pair, transmitting the CSR to the CA, causing the CA to sign thecertificate and transmit it (along with the CA certificate) back to theManagement System, which in turn loads the certificate on the IPsec VPNgateway.

FIG. 9 illustrates an exemplar wizard screen displaying the processoutlined in FIG. 6, step by step, while it is underway. Finally, theoperator may click the “Close” button when the process completes. In atypical embodiment, once this process is complete, the VPN tunnels “golive” automatically.

FIG. 10 illustrates an exemplar Management System dashboard screenshowing the link status of a complete, dual, VPN-encrypted, networksystem, similar to the configuration illustrated in FIG. 2A. On the leftside of the center line is the HQ/NOC/Teleport equipment, with theManagement System (10-Core Software), and an enterprise service (NOCInner CME: a voice/video PBX, operating on unencrypted data). Also onthe left side is shown the Inner (Inside) VPN Gateway (GW) and Outer(Outside) VPN GW. The untrusted network is a WAN provided by acommercial ISP, shown at the top of the dashboard screen. On the rightside of the center line are two “remote” IPsec VPN Gateways, and finallya switch for phones conducting VoIP voice calls.

FIG. 11 illustrates a Management System device status screen, withoverall status of devices shown with Red/Green indicator lights (in thiscase, all green). The Remote Inner (Inside) gateway is highlighted, andits summary status is shown on the right. In this illustration thegateway happens to be a Cisco model 5921 IPsec Gateway running inside avirtual machine managed by VMware ESXi. The panels below show a seriesof tabs enabling a variety of management functionalities. The selectedtab in this illustration is the “VPN” tab, and it shows the status ofthe active VPN tunnel, which was created by an operator using the wizardscreens in FIG. 6 though FIG. 9.

FIG. 12 shows a sample Management System screen managing a CA, in thiscase, the Microsoft Windows CA running on Windows Server 2012 R2. Thepanels below show a variety of management functions, including tabs formanaging certificates. In this illustration, the CA tab is selected, andshows the issued and active certificates that have been signed by theCA. Buttons in this panel launch wizards to sign CSRs, exportcertificates to removable media, revoke certificates, and publish CRLsto CDP/OCSP responders.

FIG. 13A illustrates a software module and subsystem communicationsarchitecture implementing the Management System. The softwarearchitecture consists of a GUI system with user interface renderingsubsystem, the WPF Rendering Engine, and a subsystem responsible forsending execution commands to the Management System server component.The client/server architecture enables multiple clients tosimultaneously communicate with the server, providing access to theManagement System for multiple and even remote operators. The servercomponent typically (though not always) resides near the equipment undermanagement, and communicates and manages the equipment using any varietyof available interfaces.

The Management System may also communicate with other instances orsubsets of this software, where those instances act as ProvisioningSystems and Agents providing capabilities integrated with or on behalfof EUDs, CAs, and other encryption equipment, where those devicesrequire supplementation to function in the overall architecture. Thecommunications links between the Provisioning Systems, Agents andManagement System server can be secured using a variety of methods,providing a secure channel between them, which also may not be availablewithout the deployment of the Agents or Provisioning Systems.

FIG. 13B illustrates details of the Agents or Provisioning Systems.These systems may use the same internal architecture as the ManagementSystem, but provide interfaces to only the device or device(s) undermanagement, with reduced functionality. In FIG. 13B, the ManagementSystem boxes are simplified for illustration purposes, and theAgent/Provisioning Server is shown as using the identical architectureto the Management System Server in FIG. 13A, with the exception thatonly Mobile Device(s) and CAs are supported as example devices undermanagement. In typical embodiments, the Mobile Devices and CAs will bemanaged by separate instances of the Agent/Provisioning Server code.Additionally, while the Agent instance of this software is designed tobe “headless” in that it has no GUI, the Provisioning System may supportGUI access in a manner and design similar to the GUI in FIG. 13A.

Remarks

The above description and drawings are illustrative, and are not to beconstrued as limiting. Numerous specific details are described toprovide a thorough understanding of the disclosure. However, in someinstances, well-known details are not described in order to avoidobscuring the description. Further, various modifications may be madewithout deviating from the scope of the embodiments.

Reference in this specification to “one embodiment” or “an embodiment”means that a particular feature, structure or characteristic describedin connection with the embodiment is included in at least one embodimentof the disclosure. The appearances of the phrase “in one embodiment” invarious places in the specification are not necessarily all referring tothe same embodiment, nor are separate or alternative embodimentsmutually exclusive of other embodiments. Moreover, various features aredescribed which may be exhibited by some embodiments and not by others.Similarly, various requirements are described which may be requirementsfor some embodiments but not for other embodiments.

The terms used in this specification generally have their ordinarymeanings in the art, within the context of the disclosure, and in thespecific context where each term is used. It will be appreciated thatthe same thing can be said in more than one way. Consequently,alternative language and synonyms may be used for any one or more of theterms discussed herein, and any special significance is not to be placedupon whether or not a term is elaborated or discussed herein. Synonymsfor some terms are provided. A recital of one or more synonyms does notexclude the use of other synonyms. The use of examples anywhere in thisspecification, including examples of any term discussed herein, isillustrative only and is not intended to further limit the scope andmeaning of the disclosure or of any exemplified term. Likewise, thedisclosure is not limited to various embodiments given in thisspecification. Unless otherwise defined, all technical and scientificterms used herein have the same meaning as commonly understood by one ofordinary skill in the art to which this disclosure pertains. In the caseof conflict, the present document, including definitions, will control.

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense; that is to say, in the sense of“including, but not limited to.” As used herein, the terms “connected,”“coupled,” or any variant thereof means any connection or coupling,either direct or indirect, between two or more elements; the coupling orconnection between the elements can be physical, logical, or acombination thereof. Additionally, the words “herein,” “above,” “below,”and words of similar import, when used in this application, refer tothis application as a whole and not to any particular portions of thisapplication. Where the context permits, words in the above DetailedDescription using the singular or plural number may also include theplural or singular number respectively. The word “or,” in reference to alist of two or more items, covers all of the following interpretationsof the word: any of the items in the list, all of the items in the list,and any combination of the items in the list.

The teachings of the technology provided herein can be applied to othersystems, not necessarily the system described above. The elements andacts of the various examples described above can be combined to providefurther implementations of the technology. Some alternativeimplementations of the technology may include not only additionalelements to those implementations noted above, but also may includefewer elements.

These and other changes can be made to the technology in light of theabove Detailed Description. While the above description describescertain examples of the technology, and describes the best modecontemplated, no matter how detailed the above appears in text, thetechnology can be practiced in many ways. Details of the system may varyconsiderably in its specific implementation, while still beingencompassed by the technology disclosed herein. As noted above,particular terminology used when describing certain features or aspectsof the technology should not be taken to imply that the terminology isbeing redefined herein to be restricted to any specific characteristics,features, or aspects of the technology with which that terminology isassociated. In general, the terms used in the following claims shouldnot be construed to limit the technology to the specific examplesdisclosed in the specification, unless the above Detailed Descriptionsection explicitly defines such terms. Accordingly, the actual scope ofthe technology encompasses not only the disclosed examples, but also allequivalent ways of practicing or implementing the technology under theclaims.

We claim:
 1. A method to establish encrypted communications, the methodcomprising: maintaining a dataset of default encryption values forimplementing a selected one of a plurality of encryption policiesassociated with one or more organizations; querying, via a graphicaluser interface (GUI), a user to input values for configuring anencryption device; sending, via in-band or out-of-band communicationsmethods, the input values, and at least a portion of the defaultencryption values to the encryption device, for configuring theencryption device based on the selected one of the plurality ofencryption policies; based on the input values and the at least aportion of the default encryption values, sending first instructions tothe encryption device to a generate private key and a certificatesigning request or performing the generation of the private key and thecertificate signing request on behalf of the encryption device;transmitting the certificate signing request to a certificate authorityfor signature; sending second instructions to the certificate authorityto sign the certificate signing request; and transmitting the signedcertificate to the encryption device, wherein the transmitting thesigned certificate to the encryption device causes the encryption deviceto load the signed certificate for use in establishing and maintainingencrypted communication in accordance with the selected one of theplurality of encryption policies.
 2. The method of claim 1, wherein theencryption device is a first encryption device, wherein the input valuesare first input values, wherein the private key is a first private key,wherein the certificate signing request is a first certificate signingrequest, wherein the certificate authority is a first certificateauthority, and wherein the method further comprises: querying, via theGUI, the user to input second input values for configuring a secondencryption device; sending the second input values and a second portionof the default encryption values settings to the second encryptiondevice for configuring the second encryption device based on a selectedsecond one of the plurality of encryption policies; sending thirdinstructions to the second encryption device to generate a secondprivate key and a second certificate signing request or performing thegeneration of the second private key and the second certificate signingrequest on behalf of the second encryption device; transmitting thesecond certificate signing request to the first certificate authority orsecond certificate authority for signature; sending fourth instructionsto the first or second certificate authority to sign the secondcertificate signing request; and transmitting the second signedcertificate to the second encryption device, wherein the transmittingthe second signed certificate to the second encryption device causes thesecond encryption device to load the second signed certificate for usein establishing and maintaining encrypted tunnels for communication,wherein the encrypted tunnels are partially based on the firstencryption device implementing encryption at a first layer of acommunication stack and the second encryption device implementingencryption on a second layer of the communication stack.
 3. The methodof claim 2, wherein the certificate authority is a first certificateauthority, and wherein the first and second encryption devices, thefirst certificate authority, and a second certificate authority arelocated in the same location and commutatively coupled to a managementsystem.
 4. The method of claim 1, wherein the encryption device is in aremote location relative to the certificate authority, and a managementsystem communicates indirectly to the certificate authority orindirectly to the encryption device.
 5. The method of claim 1, whereinan intermediary system is configured to facilitate the signing of thecertificate signing request on behalf of the encryption device byimplementing an application program interface (API).
 6. The method ofclaim 1, wherein the querying the user for input values furthercomprising: receiving, via the GUI, a request from the user that causesa management system to perform the transmitting the certificate signingrequest to the certificate authority and to perform the transmitting thesigned certificate to the encryption device.
 7. The method of claim 1,wherein the user is a first user, further comprising: implementing aseparation of duties method, wherein the separation of duties methodincludes: causing a management system, in response to the first user, tocause the certificate signing request to be generated on the encryptiondevice, and wherein the management system queues the certificate signingrequest for a second user for approval; sending, via the managementsystem, the certification signing request to the certificate authorityto causes the certificate signing request to be signed; and retrieving,via the management system, the signed certificate and loading it on theencryption device, or queuing it for the first user, wherein the firstuser causes the management system to load the signed certificate ontothe encryption device.
 8. The method of claim 1, further comprising: inresponse to receiving a selection of a revoke option via the GUI torevoke the signed certificate, sending instructions to the encryptiondevice to terminate a current private session, which otherwise would beterminated at expiration of a private key session.
 9. The method ofclaim 1, further comprising: performing the generation of the privatekey and the certificate signing request on behalf of the encryptiondevice. if the encryption device cannot autonomously generate theprivate key and the certificate signing request.
 10. A non-transitorycomputer-readable medium encoded with instructions that, when executedby a processor, perform a method for securing communications for adevice, the method comprising: maintaining a dataset of defaultencryption values for implementing a selected one of a plurality ofencryption policies associated with one or more organizations; querying,via a graphical user interface (GUI), a user to input values forconfiguring an encryption device; sending, via in-band or out-of-bandcommunications methods, the input values, and at least a portion of thedefault encryption values to the encryption device, for configuring theencryption device based on the selected one of the plurality ofencryption policies; based on the input values and the at least aportion of the default encryption values, sending first instructions tothe encryption device to a generate private key and a certificatesigning request or performing the generation of the private key and thecertificate signing request on behalf of the encryption device;transmitting the certificate signing request to a certificate authorityfor signature; sending second instructions to the certificate authorityto sign the certificate signing request; and transmitting the signedcertificate to the encryption device, wherein the transmitting thesigned certificate to the encryption device causes the encryption deviceto load the signed certificate for use in establishing and maintainingencrypted communication in accordance with the selected one of theplurality of encryption policies.
 11. The non-transitorycomputer-readable medium of claim 10, wherein the encryption device is afirst encryption device, wherein the input values are first inputvalues, wherein the private key is a first private key, wherein thecertificate signing request is a first certificate signing request,wherein the certificate authority is a first certificate authority, andwherein the method further comprises: querying, via the GUI, the user toinput second input values for configuring a second encryption device;sending the second input values and a second portion of the defaultencryption values to the second encryption device for configuring thesecond encryption device; sending third instructions to the secondencryption device to generate a second private key and a secondcertificate signing request or performing the generation of the secondprivate key and the second certificate signing request on behalf of thesecond encryption device; transmitting the second certificate signingrequest to the first certificate authority or a second certificateauthority for signature; sending fourth instructions to the first orsecond certificate authority to sign the second certificate signingrequest; and transmitting the second signed certificate to the secondencryption device, wherein the transmitting the second signedcertificate to the second encryption device causes the second encryptiondevice to load the second signed certificate for use in establishing andmaintaining encrypted tunnels for communication, wherein the encryptedtunnels are partially based on the first encryption device implementingencryption at a first layer of a communication stack and the secondencryption device implementing encryption on a second layer of thecommunication stack.
 12. The non-transitory computer-readable medium ofclaim 11, the certificate authority is a first certificate authority,and wherein the first and second encryption devices, the firstcertificate authority, and the another a second certificate authorityare located in the same location and commutatively coupled to amanagement system.
 13. The non-transitory computer-readable medium ofclaim 10, wherein the encryption device is in a remote location relativeto the certificate authority, and a management system communicatesindirectly to the certificate authority or indirectly to the encryptiondevice.
 14. The non-transitory computer-readable medium of claim 10,wherein the intermediary system is configured to sign the first andsecond certificate signing request on behalf of the first and secondencryption devices by implementing an application program interface(API).
 15. The non-transitory computer-readable medium of claim 10,wherein the querying the user for input values further comprising:receiving, via the GUI, a request from the user that causes a managementsystem to perform the transmitting the certificate signing request tothe certificate authority and to perform the transmitting the signedcertificate to the encryption device.
 16. The non-transitorycomputer-readable medium of claim 10, wherein the user is a first user,further comprising: implementing a separation of duties method, whereinthe separation of duties method includes: the first user causing amanagement system, in response to the first user, to cause thecertificate signing request to be generated on the encryption device,and wherein the management system queues the certificate signing requestfor a second user for approval; sending, via the management system, thecertification signing request to the certificate authority to causes thecertificate signing request to be signed; and retrieving, via themanagement system, the signed certificate and loading it on theencryption device, or queuing it for the first user, wherein the firstuser causes the management system to load the signed certificate ontothe encryption device.
 17. The non-transitory computer-readable mediumof claim 10, further comprising: in response to receiving a selection ofa revoke option via the GUI to revoke the signed certificate, sendinginstructions to the encryption device to terminate a current privatesession, which otherwise would be terminated at expiration of a privatekey session.
 18. The non-transitory computer-readable medium of claim10, wherein the method further comprises: performing the generation ofthe private key and the certificate signing request on behalf of theencryption device if the encryption device cannot autonomously generatethe private key and the certificate signing request.
 19. A computersecurity system, comprising: a management system configured to maintaina dataset of default encryption values for implementing a selected oneof a plurality of encryption policies associated with one or moreorganizations, and to validate and load multiple encryption methods formultiple devices on behalf of the multiple devices based upon thedefault encryption values and one or more of the plurality of encryptionpolicies; a provisioning system configured to implement theconfiguration of the multiple encryption methods associated with theplurality of encryption policies and on behalf of the multiple devices;and a graphical user interface (GUI) system configured to provide anencryption status of the multiple devices and configured to receive arequest to stop an encryption session for at least one of the multipledevices.
 20. The computer security system of claim 19, wherein themanagement system is further configured to communicate with certificateauthority systems to generate signed certificates on behalf of themultiple devices.
 21. The computer security system of claim 19, whereinthe management system is configured to revoke a certificate associatedwith an encryption session.
 22. The computer security system of claim19, wherein the GUI is further configured to provide an administrator atleast a single window view of each of the encryption statuses of themultiple devices.